The following post highlights the rise of SASE and provides a good SASE definition. Firstly, the SASE meaning is down to the environment that we are in. In a cloud-centric world, users and devices require access to services everywhere. The focal point has changed. Now it is the identity of the user and device as opposed to the traditional model that focused solely on the data center with a bunch of network security components. These environmental changes have created a new landscape we must protect and connect.
Many common problems challenge the new landscape. Because separate appliances are deployed for each technology stack, enterprises are loaded with complexity and overhead. Legacy network and security designs increase latency. In addition, most traffic is now encrypted, and a Zero Trust SASE design must inspect it without degrading application performance.
For additional pre-information, you may find the following helpful:
These are reasons to leverage a cloud-delivered secure access service edge (SASE). SASE meaning consists of a tailored network fabric, optimized where it makes the most sense for the user, device, and application: at geographically dispersed PoPs that secure your environment with technologies such as single packet authorization.
- A key point: Video on SASE deployment.
In the following video, we are going to address SASE deployment. In particular, we will look at the Cisco version of SASE with Cisco Umbrella. We will look at a sample SASE design consisting of several geographically dispersed PoPs, along with what each of these PoPs may look like. Keep in mind that SASE is not a one-box solution; everyone will have different networking and security requirements, and I will offer some guidance on starting a SASE project. I think the best place to start a SASE project is with SD-WAN. SD-WAN is mainstream now and has some great SD-WAN security features.
The rise of SASE and digital transformation
There has been a loss of confidence in the network. As a result, organizations uncover weaknesses in their networks when they roll out digital initiatives. This seems to be true for MPLS backbones and in some SD-WAN designs, where there is a lag in security, cloud connectivity, mobility, and site connectivity. Confidence in SD-WAN and MPLS has significantly decreased when confronted with the digital structure of network transformation. Intrinsically, SD-WAN is not an all-in-one-encompassing solution, whereas MPLS is rigid and fixed.
It is common to find that organizations were more confident in their networks before adopting digital transformation than after it. Therefore, it is difficult to predict the impact of digital transformation on networks. Enterprises must ensure they have the proper infrastructure with the correct performance and security levels. Digital transformation is not just about replacing MPLS. Networking professionals must broaden their focus to encompass security, cloud, and mobility.
WAN Transformation: SASE Meaning
All these problems can be avoided by switching to SASE, a new enterprise networking technology category introduced by Gartner in 2019. SASE meaning is the convergence of security, cloud connectivity, mobility, and site connectivity: enabling the architecture to correlate disparate data points. It is an all-in-one encompassing solution that provides a ready-made solution for the WAN transformation journey. Gartner expects at least 40% of enterprises to have explicit strategies to adopt SASE by 2024.
Today, customers are looking for a WAN transformation solution that connects and secures all edges – sites, cloud resources, mobile users, and anything else that might emerge tomorrow. MPLS is not the right approach, and some SD-WAN deployments are causing question marks. So, a SASE definition, on the other hand, assists significantly in post-digital transformation. So, let us shine the torch on some of the digital transformation challenges likely to surface. These challenges include complexity with management and operations, site connectivity, performance between locations, inefficient security, and cloud agility.
SASE Definition: Secure Access Service Edge (SASE)
The SASE definition combines network security functions (such as SWG, CASB, FWaaS, and Zero Trust Network Access (ZTNA)) with SD-WAN to support organizations’ dynamic, secure access needs. These capabilities are delivered primarily as XaaS and are based on the entity’s identity, real-time context, and security/compliance policies. SASE changes the focal point to the identity of the user and device. With traditional network design, the focal point was the on-premises data center. The traditional enterprise network and network security architectures place the internal data center as the focal point for access. These designs are proving ineffective and cumbersome with the rise of cloud and mobile. Traffic patterns have changed considerably, and so has the application logic.
- A key point: “Software-defined” secure access
SASE consolidates networking and security-as-a-service capabilities into a cloud-delivered secure access service edge. The cloud-delivered service provides you with policy-based “software-defined” secure access. The “software-defined” secure access consists of a worldwide fabric of points of presence (PoPs) and peering relationships. With the PoP design, the general architecture is to move the inspection engines to the sessions, rather than rerouting sessions to the engines as traditional designs do. This design is more aligned with today’s traffic patterns and application logic.
- SASE offers a tailorable network fabric comprising geographically dispersed SASE PoPs.
The architecture allows you to accurately specify every network session’s performance, reliability, security, and cost. This is based on identity and context. For practical, secure access, decisions must be centered on the identity of the entity at the source of the connection, not on a traditional construct such as the IP address or mere network location. The requesting entity can be the user, device, branch office, IoT device, or edge computing location, and policy is based on these parameters.
- A key point: Security and Identity
With a SASE platform, when we create an object, such as a policy, in the networking domain, it is then available in other domains, such as security. So any policies assigned to users are tied to that user regardless of network location. This removes the complexity of managing network and security policies across multiple locations, users, and devices. Again, all of this can be done from one platform. Also, when examining security solutions, many buy individual appliances that each focus on one job. To troubleshoot, you need to gather information, such as the logs, from each device. A SIEM is valuable, but because it is resource-heavy, only some organizations can use one. For those that don’t have ample resources, the manual process is backbreaking, and there will be false positives.
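The contrast the two passages above draw, a decision keyed on the entity's identity and context versus one keyed on network location, is easiest to see in code. The following is an added example, not code from the post or from any SASE vendor; the policy fields, users, posture labels and IP ranges (RFC 5737 documentation addresses) are all constructed. The same user with the same healthy device is evaluated from a branch and from a café, and once more from a device missing its EDR agent.

```python
"""Identity- and context-based access decisions versus network-location trust.

Added example, not from the original post. Policy fields, users, device
posture labels and IP ranges (RFC 5737 TEST-NET addresses) are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    subject: str                 # identity of the requesting user
    resource: str                # application or service being accessed
    required_posture: frozenset  # device checks that must all be present
    max_risk: int                # deny when the real-time risk score is higher


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    device_posture: frozenset
    risk_score: int
    src_ip: str       # carried for logging only; the identity policy never reads it
    location: str     # "branch", "home", "cafe": likewise not a trust input


def evaluate(request: Request, policies: list[Policy]) -> tuple[str, str]:
    """SASE/ZTNA-style decision: keyed on who and what, never on where."""
    for p in policies:
        if (p.subject, p.resource) != (request.user, request.resource):
            continue
        missing = p.required_posture - request.device_posture
        if missing:
            return "deny", f"{p.name}: posture checks failed {sorted(missing)}"
        if request.risk_score > p.max_risk:
            return "deny", f"{p.name}: risk {request.risk_score} exceeds {p.max_risk}"
        return "allow", p.name
    return "deny", "no matching policy (default deny)"


def legacy_evaluate(request: Request, trusted_networks: list[str]) -> tuple[str, str]:
    """Traditional perimeter model: trust follows the source network."""
    src = ipaddress.ip_address(request.src_ip)
    for cidr in trusted_networks:
        if src in ipaddress.ip_network(cidr):
            return "allow", f"inside trusted network {cidr}"
    return "deny", "outside the perimeter"


# Constructed policy set and "branch office" range
POLICIES = [
    Policy("finance-erp", subject="alice", resource="erp",
           required_posture=frozenset({"disk-encrypted", "edr-running"}), max_risk=40),
]
TRUSTED_NETWORKS = ["192.0.2.0/24"]
POSTURE_OK = frozenset({"disk-encrypted", "edr-running"})


def compare_models() -> dict[str, tuple[str, str]]:
    """Same user and device from two locations, plus one unhealthy device."""
    at_branch = Request("alice", "erp", POSTURE_OK, 10, "192.0.2.25", "branch")
    at_cafe = Request("alice", "erp", POSTURE_OK, 10, "203.0.113.9", "cafe")
    no_edr = Request("alice", "erp", frozenset({"disk-encrypted"}), 10, "192.0.2.25", "branch")
    return {
        "identity/branch": evaluate(at_branch, POLICIES),
        "identity/cafe": evaluate(at_cafe, POLICIES),
        "identity/branch-no-edr": evaluate(no_edr, POLICIES),
        "legacy/branch": legacy_evaluate(at_branch, TRUSTED_NETWORKS),
        "legacy/cafe": legacy_evaluate(at_cafe, TRUSTED_NETWORKS),
        "legacy/branch-no-edr": legacy_evaluate(no_edr, TRUSTED_NETWORKS),
    }


if __name__ == "__main__":
    for label, (verdict, why) in compare_models().items():
        print(f"{label:24} {verdict:5} {why}")
```

The identity policy returns the same verdict for Alice at the branch and at the café, and denies the device without EDR even though it sits on the "trusted" branch range; the legacy check does the reverse on both counts. That is the practical meaning of a policy being tied to the user rather than to a location.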
SASE Definition with Challenge 1: Managing the Network
If you look across the entire networking and security industry, everyone is selling individual point solutions that are not a holistic joined-up offering. Thinking only about MPLS replacement leads to incremental, point solution acquisitions when confronted by digital initiatives, making their networks more complex and costly. Principally, distributed appliances for both network and security at every location require additional tasks such as installation, ongoing management, regular updates, and refreshes. This results in far too many security and network configuration points. We see this all the time with NOC and SOC integration efforts.
Numerous integration points
The point-solution approach addresses one issue and requires a considerable amount of integration. Therefore, you must constantly add solutions to the stack, likely resulting in management overhead and increased complexity. Let’s say you are searching for a new car. Would you prefer to build the car with all the different parts or buy the already-built one? In the same way, if we examine the network and security industry, the way it has been geared up presently is provided in parts. It’s your job to support, manage and build the stack over time, and scale the stacks when needed. Fundamentally, it would help if you were an expert in all the different parts. However, if you abstract the complexity into one platform, you don’t need to be an expert in everything. SASE is one of the effective ways to abstract management and operational complexity.
SASE Meaning: How SASE solves this
Converging network and security into a single platform removes the need for multiple integration points. This eliminates the need to deploy these point solutions and the complexities of managing each. Essentially, with SASE, we can bring the functionality of each point solution together and place it under one hood: the SASE cloud. SASE merges all of the networking and security capabilities into a single platform.
This way, you now have a holistic, joined-up offering. Customers don’t need to upgrade, size, and scale their network. Instead, all of this is done for them in the SASE cloud, which creates a fully managed and self-healing architecture. Besides, the convergence time is minimal if something goes wrong in one of the SASE PoPs. All of this is automatic, and there is no need to set up new tunnels or have administrators step in to perform configurations.
SASE Definition with Challenge 2: Site Connectivity
SD-WAN appliances require other solutions for global connectivity and to connect, secure, and manage mobile users and cloud resources. As a result, many users are turning to Service Providers to handle the integration. The carrier-managed SD-WAN providers integrate a mix of SD-WAN and security devices to form SD-WAN services. Unfortunately, this often makes the Service Providers inflexible in accommodating new requests. The telco’s lack of agility and high bandwidth costs will continue to be a problem. The time taken to deploy new locations has been the biggest telco-related frustration, especially when connecting offices outside of the telco’s operating region to the company’s MPLS network. For this, they need to integrate with other telcos.
SASE Meaning: How SASE solves this
SASE handles all of the complexities of management. As a result, the administrative overhead for managing and operating a global network that supports site-to-site connectivity and enhanced security, cloud, and mobility is kept to an absolute minimum.
SASE Definition with Challenge 3: Performance Between Locations
The throughput is primarily determined by latency and packet loss, not bandwidth. Therefore, for an optimal experience for global applications, we need to explore ways to manage the latency and packet loss end-to-end for last-mile and middle-mile segments. Most SD-WAN vendors don’t control these segments, affecting application performance and service agility. Consequently, there will be constant tweaking at the remote ends to attain the best performance for your application. With SD-WAN, we can bundle transports and perform link bonding to solve the last mile. However, this does not create any benefits for the middle mile bandwidth. MPLS will help you overcome the middle-mile problems, but you will likely pay a high price.
SASE Meaning: How SASE solves this
The SASE cloud already has an optimized converged network and security platforms. Therefore, sites need to connect to the nearest SASE PoP. This way, the sites are placed on the global private backbone to take advantage of global route optimization, dynamic path selection, traffic optimization, and end-to-end encryption. The traffic can also be routed over MPLS, directly between sites (not through the SASE PoP), and from IPsec tunnels to third-party devices. The SASE architecture optimizes the last and middle-mile traffic flows.
The SASE global backbone has several techniques that improve network performance, resulting in predictable, consistent latency and packet loss. The SASE cloud has complete control of each PoP and can employ optimizations. It uses proprietary routing algorithms that factor in latency, packet loss, and jitter. These routing algorithms favor performance over cost and select the optimal route for every network packet. Compare this with Internet routing, where the metrics do not consider what is best for the application or the application type.
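To make the difference between a hop-count metric and a performance-aware one concrete, here is an added example that is not from the post and not any vendor's routing code: a small mesh of PoPs with constructed latency, loss and jitter measurements, and a Dijkstra search run twice, once with every link costing 1 (Internet-style) and once with a composite cost. The PoP names, link figures and metric weights are assumptions; real backbones use proprietary algorithms whose weights are not published.

```python
"""Performance-aware path selection across a mesh of SASE PoPs.

Added example, not from the post or any vendor. PoP names, link measurements
and the weights in performance_cost() are constructed for illustration.
"""
from __future__ import annotations

import heapq
from typing import Callable

# Constructed measurements per link: (latency_ms, loss_pct, jitter_ms)
LINKS = {
    ("A", "B"): (40.0, 3.0, 15.0),   # fewest hops A->B, but lossy and jittery
    ("A", "C"): (20.0, 0.1, 2.0),
    ("C", "B"): (15.0, 0.1, 2.0),
    ("B", "D"): (10.0, 0.0, 1.0),
}


def build_graph(links):
    """Undirected adjacency map: node -> list of (neighbour, metrics)."""
    graph: dict[str, list] = {}
    for (a, b), m in links.items():
        graph.setdefault(a, []).append((b, m))
        graph.setdefault(b, []).append((a, m))
    return graph


def performance_cost(metrics) -> float:
    """Composite cost: latency plus penalties for loss and jitter (assumed weights)."""
    latency, loss, jitter = metrics
    return latency + 20.0 * loss + 2.0 * jitter


def hop_cost(metrics) -> float:
    """Internet-style metric that ignores link quality entirely."""
    return 1.0


def best_path(graph, src: str, dst: str, cost: Callable) -> tuple[float, list[str]]:
    """Dijkstra over the chosen cost function; returns (total_cost, path)."""
    frontier = [(0.0, src, [src])]
    settled: set[str] = set()
    while frontier:
        total, node, path = heapq.heappop(frontier)
        if node == dst:
            return total, path
        if node in settled:
            continue
        settled.add(node)
        for nxt, m in graph[node]:
            if nxt not in settled:
                heapq.heappush(frontier, (total + cost(m), nxt, path + [nxt]))
    raise ValueError(f"no path from {src} to {dst}")


def compare(src: str, dst: str) -> dict[str, tuple[float, list[str]]]:
    """Route src->dst under both metrics so the two choices can be compared."""
    g = build_graph(LINKS)
    return {
        "hops": best_path(g, src, dst, hop_cost),
        "performance": best_path(g, src, dst, performance_cost),
    }


if __name__ == "__main__":
    for pair in (("A", "B"), ("A", "D")):
        for metric, (total, path) in compare(*pair).items():
            print(f"{pair[0]}->{pair[1]} {metric:12} cost={total:6.1f} path={'-'.join(path)}")
```

With these figures the hop-count search takes the direct A-B link (one hop, composite cost 130), while the performance-aware search goes A-C-B (two hops, composite cost 47); the same happens for A-D. Whether the extra hop is worth it depends entirely on the weights chosen for loss and jitter, which is the tuning a backbone operator controls and an Internet path does not expose.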
SASE Definition with Challenge 4: Cloud Agility
Cloud applications are becoming the most critical to organizations, even more critical than those hosted in their private data centers. When delivering cloud resources, we need to consider more than just providing connectivity. In the past, when we spoke about agility, we were concerned only with the addition of new on-premises sites. However, now this conversation needs to encompass the cloud. Primarily, delivering cloud applications is about providing an application experience that is as responsive as the on-premises applications. However, most SD-WANs are slow to deliver new public cloud infrastructure. MPLS is expensive, rigid, and not built for cloud access.
SASE Meaning: How SASE solves this
SASE natively supports cloud data centers (IaaS) and applications (SaaS) through built-in cloud connectivity, without additional configuration, complexity, or point solutions. This further enables the rapid delivery of new public cloud infrastructure. The SASE PoPs are co-located in the data centers, directly connected to the IXP of the leading IaaS providers, such as Amazon AWS, Microsoft Azure, and Google Cloud Platform. In addition, cloud applications are optimized through SASE’s ability to define the egress points. This helps exit the cloud application traffic at the points closest to the customer’s application instance.
The optimal global routing algorithms can determine the best path from anywhere to the customer’s cloud application instance. This provides optimal performance to the cloud applications regardless of the user’s location. So when we talk about performance to the cloud with SASE, the latency to the cloud is comparable to the optimized access provided by the cloud providers, such as AWS Direct Connect or Azure Express Route. So authentically, SASE provides out-of-the-box cloud performance.
SASE Definition with Challenge 5: Security
The security landscape is constantly evolving. Therefore, network security solutions must evolve to form a well-founded landscape. Ransomware and Malware will continue to be the primary security concerns from 2020 onward. Combating them with various solutions, each designed with complex integration points scattered through the network domain, is a challenge for the entire organization. Security must be a part of any WAN transformation initiative, protecting the users and resources regardless of the underlying network and managed through a single pane of glass.
However, a bundle of non-integrated security products results in appliance sprawl that hinders your security posture instead of strengthening it. The security solution must defend against emerging threats like malware/ransomware. In addition, it must boost the ability to enforce corporate security policies on mobile users. Finally, the security solution must also address the increasing cost of buying and managing security appliances and software.
- A key point: Security and encryption
So we know there is an increase in complexity due to the disparate tools required to address the different threat vectors. So, for example, we have DLP functionality spread across the SWG, CASB, and a dedicated DLP product, with three different teams managing each. What about the impact of encrypted web traffic on the security infrastructure? The issue is that most internet traffic is now encrypted, and attackers deliver payloads, deliver command and control instructions, and exfiltrate data over encrypted protocols. Organizations cannot decrypt all network traffic, both for performance reasons and to avoid looking at sensitive employee information. There are also scalability issues with encrypted traffic management solutions, which can cause performance problems of their own.
- A key point: MPLS and SD-WAN
MPLS does not protect the resources and users, certainly not those connected to the Internet. On the other hand, SD-WAN service offerings are not all created equal, since many do not include firewall/security features for threat protection across all edges: mobile devices, sites, and cloud resources. This lack of integrated security complicates SD-WAN deployments. Also, this often leads to Malware getting past the perimeter unnoticed.
- A key point: The cost involved
Security solutions are expensive, and there is never a fixed price. Some security vendors may charge on the usage models for which you don’t yet have the quantity. This makes the process of planning extremely problematic and complex. As the costs keep increasing, we often find that security professionals would trade off point-security solutions due to the associated costs. This is not an effective risk-management strategy. The security controls are also limited to mobile VPN solutions. More often than not, they are very coarse, forcing IT to open access to all the network resources. Protecting mobile users requires additional security tools, such as next-generation firewalls (NGFWs). So again, we have another point solution. In addition, mobile VPN solutions provide no last- or middle-mile optimization.
SASE Meaning: How SASE solves this
SASE converges a complete security stack into the network, allowing SASE to bring granular control to sites and to mobile and cloud resources. This is done by enforcing the zero-trust principles for all edges. SASE provides anti-malware protection for both WAN and Internet traffic. In addition, for malware detection and prevention, SASE can offer signature-based and machine-learning-based protection consisting of several integrated anti-malware engines.
For malware communication, SASE can stop outbound traffic to C&C servers based on reputation feeds and network behavioral analysis. Mobile user traffic is fully protected by SASE’s advanced security services, including NGFW, secure web gateway (SWG), threat prevention, and managed threat detection and response. Furthermore, in the case of mobile, SASE mobile users can dynamically connect to the closest SASE PoP regardless of their location. Furthermore, as discussed previously, all relevant optimizations performed by the SASE cloud are available for mobile users.
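The two signals named above for stopping C&C traffic, a reputation feed and behavioral analysis, can be shown side by side on flow records. The following is an added example, not code from the post or from any SASE product. The feed entries, hostnames and flow records are constructed, and the addresses come from the RFC 5737 documentation ranges, so none of them are real indicators. The behavioral check used here is beacon detection: a near-constant interval between connections to the same destination, measured as the coefficient of variation of the gaps. A feed hit is treated as a block; a beacon with no feed hit is surfaced as an alert, since timing regularity alone also describes legitimate software update checks.

```python
"""Outbound C&C detection from flow records: reputation feed plus beacon analysis.

Added example, not from the post. Feed entries, hostnames and flows are
constructed; addresses are RFC 5737 documentation ranges, not real indicators.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed reputation feed: network -> feed label
REPUTATION_FEED = {
    ipaddress.ip_network("198.51.100.77/32"): "known-c2",
    ipaddress.ip_network("203.0.113.0/24"): "sinkhole-list",
}

BEACON_MIN_FLOWS = 5     # enough samples to judge timing regularity
BEACON_MAX_CV = 0.10     # coefficient of variation below this reads as machine-regular

# Constructed flow records: (epoch_seconds, src_host, dst_ip, dst_port, bytes_out)
BASE = 1_700_000_000
FLOWS = (
    # exact 60 s cadence to a feed-listed address
    [(BASE + 60 * i, "laptop-7", "198.51.100.77", 443, 512) for i in range(6)]
    # ~300 s cadence to an unlisted address
    + [(BASE + t, "laptop-7", "192.0.2.50", 8443, 300) for t in (0, 300, 600, 901, 1200, 1500)]
    # irregular, human-driven browsing
    + [(BASE + t, "desktop-2", "192.0.2.10", 443, 4096) for t in (0, 17, 250, 260, 900, 1300)]
)


def reputation_hit(dst_ip: str) -> str | None:
    """Return the feed label covering dst_ip, or None when it is unlisted."""
    addr = ipaddress.ip_address(dst_ip)
    for net, label in REPUTATION_FEED.items():
        if addr in net:
            return label
    return None


def beacon_cv(timestamps) -> float | None:
    """Coefficient of variation of inter-connection gaps; None if too few samples."""
    if len(timestamps) < BEACON_MIN_FLOWS:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def analyze(flows) -> dict[str, tuple[str, list[str]]]:
    """Group flows per (host, destination, port) and decide block / alert / allow."""
    by_pair: dict[tuple, list[int]] = defaultdict(list)
    for ts, host, dst, port, _bytes in flows:
        by_pair[(host, dst, port)].append(ts)

    verdicts = {}
    for (host, dst, port), ts in by_pair.items():
        reasons = []
        label = reputation_hit(dst)
        if label:
            reasons.append(f"reputation:{label}")
        cv = beacon_cv(ts)
        if cv is not None and cv < BEACON_MAX_CV:
            reasons.append(f"beacon:cv={cv:.3f}")
        if label:
            action = "block"          # listed destination: stop the traffic
        elif reasons:
            action = "alert"          # regular timing only: hand to analysts
        else:
            action = "allow"
        verdicts[f"{host}->{dst}:{port}"] = (action, reasons)
    return verdicts


if __name__ == "__main__":
    for key, (action, reasons) in analyze(FLOWS).items():
        print(f"{action:5} {key:32} {', '.join(reasons) or '-'}")
```

The listed destination is blocked on the feed alone and also shows a perfectly regular beacon; the unlisted 300-second cadence is flagged for review; the irregular browsing session passes. In a PoP this logic would run on the egress path for every edge, which is what allows mobile users to receive the same C&C protection as a site without any appliance at the remote end.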
- Rethink the WAN
The shift to the cloud, edge computing, and mobility offers new opportunities for IT professionals. To support these digital initiatives, network professionals must rethink their approach to WAN transformation. WAN transformation is not just about replacing MPLS with SD-WAN. It needs an all-encompassing solution that provides the proper network performance and security level for enhanced site-to-site connectivity, security, mobile, and cloud.
SASE Meaning: SASE wraps up
SASE is a network and security architecture consolidating numerous network and security functions, traditionally delivered as siloed point solutions, into an integrated cloud service. It does this by combining several network and security capabilities along with cloud-native security functions. The functions are delivered from the cloud and provided by the SASE vendor. They are essentially providing a consolidated, platform-based approach to security. We have a cloud-delivered solution consolidating multiple edge network security controls and network services into a unified solution with centralized management and distributed enforcement.
The appliance-based perimeter
Even though there has been a shift to the cloud, the traditional perimeter network security solution has remained appliance-based. The motivation for moving security controls to the cloud is better protection and performance, plus ease of deployment and maintenance. The performance limitations of the earlier cloud-delivered solutions have been overcome with the introduction of optimized routing and a global footprint. Still, opinion is split on performance and protection: many consider them the prime reasons to keep the network security solutions on-premises.
Main Checklist Points To Consider